This paper presents a transformational approach for model checking two important classes of metric temporal logic (MTL) properties, namely, bounded response and minimum separation, for non-hierarchical object-oriented Real-Time Maude specifications. We prove the correctness of our model checking algorithms, which terminate under reasonable non-Zeno-ness assumptions when the reachable state space is finite. These new model checking features have been integrated into Real-Time Maude, and are used to analyze a network of medical devices and a 4-way traffic intersection system.

1 Introduction

Real-Time Maude [20] is a formal specification language and a high-performance simulation and model checking tool that extends the rewriting-logic-based Maude system [8] to support the formal specification and analysis of real-time systems. Real-Time Maude differs from timed-automaton-based tools, such as Uppaal and KRONOS [1, 27], by emphasizing ease and expressiveness of specification over algorithmic decidability of key properties. In particular, Real-Time Maude supports the definition of any computable data type, unbounded data structures, different communication models, and so on.

Because of its expressiveness, Real-Time Maude has been successfully applied to a wide range of advanced state-of-the-art applications that are beyond the pale of timed automata, including the OGDC density control [22] and LMST topology control [10] protocols for wireless sensor networks, the CASH scheduling algorithm with capacity sharing features that require unbounded queues [16], the AER/NCA active networks multicast protocol, and the NORM multicast protocol developed by the IETF [13]. Real-Time Maude's natural model of time, together with its expressiveness, also makes it ideal as a semantic framework in which real-time modeling languages can be given a formal semantics; such languages then also get Real-Time Maude's formal analysis capabilities essentially for free. Languages with a Real-Time Maude semantics include: a timed extension of the Actor model, the Orc web services orchestration language, a language developed at DoCoMo laboratories for handset applications, a behavioral subset of the avionics standard AADL, the visual model transformation language e-Motions [25], real-time model transformations in MOMENT2, and a subset of Ptolemy II discrete-event models [4].

Real-Time Maude is particularly suitable to model real-time systems in an object-oriented style, 
and the paper [20] identifies some useful specification techniques for object-oriented real-time systems. 
All the concrete applications mentioned above, and many of the language semantics applications, are 
specified in an object-oriented way using those techniques. 

Real-Time Maude provides a spectrum of analysis methods, including simulation through timed rewriting, untimed temporal logic model checking, and (unbounded or time-bounded) search for reachability analysis. However, up to now, Real-Time Maude has lacked the ability to model check timed (or metric) temporal logic properties. Such properties are obviously very important in many real-time systems. For example, in case of an accident the airbag must not just inflate eventually, but within very tight time bounds. For timed automata, such metric temporal logic model checking is decidable¹ and implemented in the KRONOS tool [27]. For the much more expressive Real-Time Maude formalism, supporting metric temporal logic model checking is obviously a much harder task.

This paper reports on our first attempts at providing metric temporal logic model checking for Real- 
Time Maude. We have taken the following pragmatic choices: 

1. Supporting the model checking of only a few classes of metric temporal logic properties, namely, 
the ones that were needed in the above-mentioned applications. These properties are: 

• Bounded response: each $p$-state must be followed by a $q$-state within time $r$ (where $p$ and $q$ are state propositions). One example of a bounded response property is "whenever the ventilator assisting the patient's breathing is turned off, it must be turned on within 5 seconds".

• Minimum separation: there must be at least time $r$ between two non-consecutive $p$-states. For example, "the ventilator should be turned on continuously for at least two minutes between two pauses."

2. Supporting such model checking only for flat object-oriented models specified according to the 
guidelines mentioned above. But as already said, this class of systems includes all the concrete 
Real-Time Maude applications listed above. 

What is gained by restricting the classes of systems and properties is efficiency. Instead of implementing the model checking algorithms from scratch, we pursue a transformational approach, where we take advantage of Maude's high performance analysis commands and transform a metric model checking problem $\mathcal{R}, L_\Pi, t_0 \models \varphi$ into a problem $\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \widetilde{\varphi}$ that can be analyzed by Real-Time Maude's efficient search and LTL model checking commands. Our transformations add a clock which measures, respectively, the time since the earliest $(p \wedge \neg q)$-state that has not been followed by a $q$-state (for bounded response) and the time since we last saw a $p$-state (for minimum separation). An important property is that - under reasonable time-divergence assumptions about the executions with the selected time sampling strategy - if the original reachable state space is finite, then the model checking commands are guaranteed to terminate. Furthermore, our model checking commands are semi-decision procedures for the invalidity of the metric properties for time-diverging systems. The transformations have been implemented in Real-Time Maude and the corresponding model checking commands have been made available in the tool. We have applied the new commands on two case studies, one on the safe interoperation of medical devices [14] and one on a fault-tolerant controller for traffic lights in an intersection [17].

We prove the correctness of the transformation under reasonable assumptions, such as the real- 
time rewrite theory being tick-invariant [19]. Since real-time rewrite theories do not have a "region- 
automaton"-like discrete quotient, for dense time Real-Time Maude uses time sampling strategies to 
execute the tick rules. That is, in model checking analyses for dense-time models, only a subset of all 
possible behaviors are analyzed. Therefore, Real-Time Maude analyses are in general not (both) sound 
and complete; however, for object-oriented specifications we have identified easily checkable conditions 
that guarantee soundness and completeness of our analyses also for dense-time systems [19]. 

This paper is organized as follows. Section 2 introduces Real-Time Maude and metric temporal logic. Section 3 presents the properties that we address and the corresponding transformations, whose correctness is proved in Section 4. Section 5 shows two case studies of metric temporal logic model checking in Real-Time Maude. Section 6 discusses related work, and Section 7 gives some concluding remarks.



¹ For finite behaviour, see, e.g., [7].

2 Preliminaries

2.1 Real-Time Maude

In Real-Time Maude [20], real-time systems are modeled by a set of equations and rewrite rules. The rewrite rules are divided into instantaneous rules, that model changes that are assumed to take zero time, and tick rules that model time advance. Formally, a Real-Time Maude timed module specifies a real-time rewrite theory [18] of the form $\mathcal{R} = (\Sigma, E, IR, TR)$, where:

• $(\Sigma, E)$ is a membership equational logic theory with $\Sigma$ a signature² and $E$ a set of confluent and terminating conditional equations. $(\Sigma, E)$ specifies the system's state space as an algebraic data type, and must contain a specification of a sort Time modeling the (discrete or dense) time domain. We denote by $T_{\Sigma/E,s}$ all ground terms of sort $s$.

• $IR$ is a set of (possibly conditional) labeled instantaneous (rewrite) rules specifying the system's instantaneous (i.e., zero-time) local transitions, written crl [l] : t => t' if cond, where l is a label. Such a rule specifies a one-step transition from an instance of t to the corresponding instance of t'. The rules are applied modulo the equations $E$³.

• $TR$ is a set of tick (rewrite) rules, written with syntax

crl [l] : {t} => {t'} in time τ if cond .

that model time elapse. {_} is a built-in constructor of sort GlobalSystem, and τ is a term of sort Time that denotes the duration of the rewrite.

The initial state must be a ground term of sort GlobalSystem and must be reducible to a term of the form {t} using the equations in the specification. The form of the tick rules ensures that time advances uniformly in the whole system.

Following [18], we write $t \xrightarrow{\tau} t'$ when $t$ can be rewritten into $t'$ in time $\tau$ by a one-step rewrite. Note that instantaneous steps have duration 0. A (timed) path $\pi$ in $\mathcal{R}$ is an infinite sequence

$\pi = t_0 \xrightarrow{\tau_0} t_1 \xrightarrow{\tau_1} t_2 \ldots$

such that either

• for all $i \in \mathbb{N}$, $t_i \xrightarrow{\tau_i} t_{i+1}$ is a one-step rewrite in $\mathcal{R}$; or

• there exists a $k \in \mathbb{N}$ such that $t_i \xrightarrow{\tau_i} t_{i+1}$ is a one-step rewrite in $\mathcal{R}$ for all $0 \le i < k$, there is no one-step rewrite from $t_k$ in $\mathcal{R}$, and $t_j = t_k$ and $\tau_{j-1} = 0$ for each $j > k$.

We denote by $\mathit{Paths}(\mathcal{R})_{t_0}$ the set of all timed paths of $\mathcal{R}$ starting in $t_0$. We call a path $\pi = t_0 \xrightarrow{\tau_0} t_1 \xrightarrow{\tau_1} t_2 \ldots$ time-divergent iff for all $r \in \mathbb{R}$ there is an $i \in \mathbb{N}$ such that $\sum_{k=0}^{i} \tau_k > r$. Paths that are not time-divergent are called time-convergent. We define $\pi^k = t_k \xrightarrow{\tau_k} t_{k+1} \xrightarrow{\tau_{k+1}} \ldots$ A term $t'$ is reachable from $t_0$ in $\mathcal{R}$ in time $r$ iff there is a path $\pi = t_0 \ldots t_k \ldots$ with $t_k = t'$ and $r = \sum_{i=0}^{k-1} \tau_i$.

The Real-Time Maude syntax is fairly intuitive; we refer to [8] for a detailed description. For example, a function symbol f is declared with the syntax op f : s_1 ... s_n -> s, where $s_1 \ldots s_n$ are the sorts of its arguments, and $s$ is its (value) sort. Equations are written with syntax eq t = t', and ceq t = t' if cond are conditional equations. The mathematical variables in such statements are declared with the keywords var and vars.

In object-oriented Real-Time Maude modules, a class declaration

class C | att_1 : s_1, ..., att_n : s_n .

declares a class C with attributes $att_1$ to $att_n$ of sorts $s_1$ to $s_n$, respectively. An object of class C in a state is represented as a term < O : C | att_1 : val_1, ..., att_n : val_n > of sort Object, where O, of sort Oid, is the object's identifier, and where $val_1$ to $val_n$ are the current values of the attributes $att_1$ to $att_n$, respectively. In a concurrent object-oriented system, the state is a term of sort Configuration. It has the structure of a multiset made up of objects and messages. Multiset union for configurations is denoted by a juxtaposition operator (empty syntax) that is declared associative and commutative, so that rewriting is multiset rewriting supported directly in Real-Time Maude. The dynamic behavior of concurrent object systems is axiomatized by specifying its transition patterns by rewrite rules. For example, the rule

rl [l] : m(O,w) < O : C | a1 : 0, a2 : y, a3 : w >
      => < O : C | a1 : T, a2 : y, a3 : y + w > dly(m'(O'),x) .

defines a parametrized family of transitions (one for each substitution instance), which can be applied whenever the attribute a1 of an object of class C has the value 0, with the effect of altering the attributes a1 and a3 of the object. Moreover, a message m, with parameters O and w, is read and consumed, and a new message m'(O') is sent with delay x (see [20]). "Irrelevant" attributes, such as a2, need not be mentioned in a rule.

² That is, Σ is a set of declarations of sorts, subsorts, and function symbols.

³ E is a union E' ∪ A, where A is a set of equational axioms such as associativity, commutativity, and identity, so that deduction is performed modulo A. Operationally, a term is reduced to its E'-normal form modulo A before any rewrite rule is applied.

Model Checking MTL Properties of Object-Oriented Real-Time Maude Specifications

A flat (or non-hierarchical) object-oriented specification is one where all rewrites happen in the "outermost" configuration; that is, no attribute value $t$ rewrites to some $t' \neq t$.

The specification of time-dependent behavior of object-oriented real-time systems follows the tech- 
niques given in [20]. Time elapse is modeled by the tick rule 

var C : Configuration . var T : Time .

crl [tick] : {C} => {delta(C, T)} in time T if T <= mte(C) [nonexec] .

The function delta defines the effect of time elapse on a configuration, and the function mte defines the 
maximum amount of time that can elapse before some action must take place. These functions distribute 
over the objects and messages in a configuration and must be defined for all single objects and messages 
to define the timed behavior of a system. The tick rule advances time nondeterministically by any amount 
T less than or equal to mte(C). To execute such rules, Real-Time Maude offers a choice of time sampling
strategies, so that only some moments in time are visited. The choice of such strategies includes: 

• Advancing time by a fixed amount Δ in each application of a tick rule.

• The maximal strategy, that advances time to the next moment when some action must be taken, as 
defined by mte. This corresponds to event-driven simulation. 

Formal Analysis. A Real-Time Maude specification is executable, under reasonable conditions, and 
the tool offers a variety of formal analysis methods. The rewrite command simulates one fair behavior 
of the system up to a certain duration. The search command uses a breadth-first strategy to analyze 
all possible behaviors of the system, by checking whether a state matching a pattern and satisfying a 
condition can be reached from the initial state. Such a pattern typically describes the negation of an 
invariant, so that the search succeeds iff the invariant is violated. The command which searches for n 
states satisfying the pattern search criterion has syntax 

(utsearch [n] t =>* pattern such that cond .)

Real-Time Maude also extends Maude's linear temporal logic model checker to check whether each behavior, possibly up to a certain time bound, satisfies a temporal logic formula. State propositions are terms of sort Prop, and their semantics should be given by (possibly conditional) equations of the form

{statePattern} |= prop = b

for b a term of sort Bool, which defines the state proposition prop to hold in all states {t} where {t} |= prop evaluates to true. We use the notation $\Pi$ for the set of propositions and $L_\Pi$ for the (implicit) labeling function assigning to each state the set of propositions that hold in the state. A temporal logic formula is constructed by state propositions and the Boolean and temporal logic operators discussed in Section 2.2. The time-bounded model checking command has syntax

(mc t |=t formula in time <= T .)

for initial state t and temporal logic formula formula.

Since the model checking commands execute tick rules according to the chosen time sampling strategy, only a subset of all possible behaviors is analyzed. Therefore, Real-Time Maude analyses are in general incomplete for a given property. However, in [19] we have given easily checkable conditions for ensuring that Real-Time Maude analyses are indeed sound and complete.

It is also worth remarking that in the rest of the paper, we implicitly consider the different analyses w.r.t. Real-Time Maude executions. That is, for dense time, by "a rewrite theory $\mathcal{R}$" in the following sections we typically mean the real-time rewrite theory $\mathcal{R}_{tss}$ that has been obtained from an original time-nondeterministic real-time rewrite theory $\mathcal{R}$ by applying the theory transformation corresponding to using the time sampling strategy $tss$ when executing the tick rules [20].

2.2 Metric Temporal Logic 

Linear temporal logic (LTL) [24] allows us to describe properties of paths of a given system. The states are labeled with elements from a finite set $\Pi$ of atomic propositions. Besides propositions and the usual Boolean operators, LTL formulae can be built using the temporal until operator. Intuitively, the formula $p\, U\, q$ ("p until q") is satisfied by a path if the property $q$ becomes valid within an arbitrary but finite number of steps and the property $p$ constantly holds on the path before. As syntactic sugar we define $\Diamond p$ ("eventually p", defined as $\mathit{true}\, U\, p$) that is satisfied by a path if $p$ holds somewhere on the path, and $\Box p$ ("globally p", defined as $\neg(\mathit{true}\, U\, (\neg p))$) expressing that $p$ holds on the whole path. The weak until operator $p\, W\, q$ is defined as $(p\, U\, q) \vee (\Box p)$.

For time-critical systems we need more expressive power to state that some actions should happen within some time bounds. There are different extensions of LTL to capture also timed properties. In this paper, we use the extension metric temporal logic (MTL), that adds time interval bounds to the temporal operators. For the until operator, the formula $p\, U_{[t_1,t_2]}\, q$ states that $p\, U\, q$ holds and, furthermore, $q$ occurs within the time interval $[t_1, t_2]$.

Formulae of MTL are built using the following abstract syntax:

$\varphi ::= \mathit{true} \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi\, U_{[t_1,t_2]}\, \varphi$

with $p \in \Pi$ and either $t_1, t_2 \in \mathbb{R}$ with $t_1 < t_2$ and $t_2 > 0$, or $t_1 \in \mathbb{R}$ and $t_2 = \infty$. Note that $U_{[0,\infty]}$, for which we just write $U$, corresponds to the unbounded until of LTL. Besides the usual Boolean operators $\vee, \rightarrow, \ldots$ we define as syntactic sugar $\Diamond_{[t_1,t_2]}\varphi$ as $\mathit{true}\, U_{[t_1,t_2]}\, \varphi$ and $\Box_{[t_1,t_2]}\varphi$ as $\neg(\mathit{true}\, U_{[t_1,t_2]}\, (\neg\varphi))$. If the lower bound $t_1$ is 0, we use the notation $\varphi_1\, U_{\le t_2}\, \varphi_2$, and analogously for the other operators.

Given a real-time rewrite theory $\mathcal{R}$, the set of states is defined as $T_{\Sigma/E,\mathit{GlobalSystem}}$. A set $\Pi$ of (possibly parametric) atomic propositions on those states can be defined equationally in a protecting extension $(\Sigma \cup \Pi, E \cup D) \supseteq (\Sigma, E)$, and gives rise to a labeling function $L_\Pi : T_{\Sigma/E,\mathit{GlobalSystem}} \rightarrow \mathcal{P}(\Pi)$ in the obvious way. Adapting the pointwise semantics for MTL, we can define satisfaction of MTL formulas for real-time rewrite theories over timed paths as follows:
Definition 2.1. Let $\mathcal{R}$ be a real-time rewrite theory, $L_\Pi$ a labeling function on $\mathcal{R}$, and $\pi = t_0 \xrightarrow{\tau_0} t_1 \ldots$ a timed path in $\mathcal{R}$. The satisfaction relation of an MTL formula for the path $\pi$ in $\mathcal{R}$ is then defined recursively as follows:

$\mathcal{R}, L_\Pi, \pi \models \mathit{true}$ always holds
$\mathcal{R}, L_\Pi, \pi \models p$ iff $p \in L_\Pi(t_0)$
$\mathcal{R}, L_\Pi, \pi \models \neg\varphi$ iff $\mathcal{R}, L_\Pi, \pi \not\models \varphi$
$\mathcal{R}, L_\Pi, \pi \models \varphi_1 \wedge \varphi_2$ iff $\mathcal{R}, L_\Pi, \pi \models \varphi_1$ and $\mathcal{R}, L_\Pi, \pi \models \varphi_2$
$\mathcal{R}, L_\Pi, \pi \models \varphi_1\, U_{[r_a, r_b]}\, \varphi_2$ iff there exists a $j \in \mathbb{N}$ such that $\mathcal{R}, L_\Pi, \pi^j \models \varphi_2$, $\mathcal{R}, L_\Pi, \pi^i \models \varphi_1$ for all $0 \le i < j$, and $r_a \le \sum_{k=0}^{j-1} \tau_k \le r_b$.

For a state $t_0$ of sort GlobalSystem, the satisfaction relation of an MTL formula $\varphi$ for the state $t_0$ in $\mathcal{R}$ is defined as:

$\mathcal{R}, L_\Pi, t_0 \models \varphi \iff \forall \pi \in \mathit{Paths}(\mathcal{R})_{t_0}\;\; \mathcal{R}, L_\Pi, \pi \models \varphi$


3 Model Checking MTL Properties of Object-Oriented Specifications 

Real-Time Maude currently does not support MTL model checking. However, some MTL formulas can already be model checked in Real-Time Maude using the time-bounded search and LTL model checking commands. For example, we can model check the time-bounded until property $\mathcal{R}, L_\Pi, t_0 \models p\, U_{\le r}\, q$, for $p$ and $q$ state propositions from $\Pi$, using the time-bounded model checking command

(mc t0 |=t p U q in time <= r .)

We can also analyze the properties $\mathcal{R}, L_\Pi, t_0 \models \Box_{\le r}\, p$ and $\mathcal{R}, L_\Pi, t_0 \models \Diamond_{\le r}\, p$ in a similar way.
In this paper we present analysis algorithms for the following two classes of MTL formulae:

1. Bounded response: $\Box(p \rightarrow (\Diamond_{\le r}\, q))$

2. Minimum separation: $\Box(p \rightarrow (p\, W\, (\Box_{\le r}\, \neg p)))$

We propose to transform an MTL model checking problem $\mathcal{R}, L_\Pi, t_0 \models \varphi$ into an untimed LTL model checking problem $\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \widetilde{\varphi}$. Both transformations add a clock to the system: for model checking bounded response properties, this clock measures the time since $p$ held without $q$ holding in the meantime; for minimum separation properties, the clock measures the distance between two non-consecutive $p$-states. We take care not to increase the clocks "unnecessarily," so that if the state space reachable from $t_0$ in $\mathcal{R}$ is finite, then the state space reachable from $\widetilde{t}_0$ in $\widetilde{\mathcal{R}}$ remains finite, under reasonable time-divergence assumptions on the executions.

We assume that our specifications are tick-invariant [19] with regard to the state propositions occurring in the formula, i.e., a tick step does not change the valuation of the atomic propositions occurring in the formula. Most systems, including the two case studies in the paper, satisfy tick-invariance, since the state propositions usually do not involve the value of clock and timer attributes in the system.



3.1 Bounded response: $\Box(p \rightarrow \Diamond_{\le r}\, q)$

A bounded response property states that the system always reacts to a request $p$ with an action $q$ within time $r$. For example, in our medical devices case study, the ventilation machine, helping a sedated patient to breathe, should not be stopped for more than two seconds at a time; that is, each state in which the machine is pausing must be followed by a state in which the machine is breathing in two seconds or less.
The MTL model checking problem

$\mathcal{R}, L_\Pi, t_0 \models \Box(p \rightarrow \Diamond_{\le r}\, q)$

for $p, q \in \Pi$ state propositions, can be transformed into the untimed model checking problem

$\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \Box(p \rightarrow \Diamond q) \wedge \Box(\mathit{clock}(c_{BR}) \le r)$

where $\mathit{clock}(c_{BR})$ is the value of a "clock" that measures the time since $p$ held without $q$ holding in the meantime. For real-time rewrite theories having only time-divergent paths we could skip the first conjunct $\Box(p \rightarrow \Diamond q)$, which ensures that we also consider all relevant time-convergent paths as possible counterexamples.

We add a "clock" $c_{BR}$ to the system, and update it as follows:

i) If the clock $c_{BR}$ is turned off, and a state satisfying $p \wedge \neg q$ is reached, then the clock is set to 0 and is turned on.

ii) The clock is turned off when a state satisfying $q$ is reached.

iii) A clock that is on is increased according to the elapsed time in the system.

For the very useful class of "flat" object-oriented specifications formalized according to the guidelines in [20] — all advanced Real-Time Maude applications have been so specified — we can automate the transformation from $\mathcal{R}, L_\Pi, t_0, p, q, r$ to $\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0$ as follows:

1. Add the following class for the clock:

class Clock | clock : Time, status : OnOff .
sort OnOff . ops on off : -> OnOff [ctor] .

2. Add a clock object to the initial state {t0}, so that the initial state becomes

{t0 < cBR : Clock | clock : 0, status : x >}

where cBR is a constant of sort Oid and x is on if $p \in L(\{t_0\})$ and $q \notin L(\{t_0\})$, and is off otherwise. Note that $p \in L(\{t_0\})$ can be checked in Maude by checking whether {t0} |= p = true.

3. We keep Real-Time Maude's object-oriented tick rule and extend the functions delta and mte to clocks as follows, ensuring that mte is not affected by the new clock object:

eq delta(< cBR : Clock | status : on, clock : T >, T') =
     < cBR : Clock | clock : if T <= r then T + T' else T fi > .

eq delta(< cBR : Clock | status : off >, T') = < cBR : Clock | > .

eq mte(< cBR : Clock | >) = INF .

Notice that the delta function ensures that the clock value never increases more than necessary, preserving finiteness of the reachable state space from the initial state.

4. Each instantaneous rule t => t' if cond or {t} => {t'} if cond in $\mathcal{R}$ is replaced by the rules:

{t REST < cBR : Clock | status : on >}
  => {t' REST < cBR : Clock | >} if {t' REST} |= q =/= true and cond

(if the clock is on, then it continues to stay on if a state satisfying $\neg q$ is reached);

{t REST < cBR : Clock | status : on >}
  => {t' REST < cBR : Clock | status : off >} if {t' REST} |= q and cond

(if the clock is on, then it is turned off when a state satisfying $q$ is reached);

{t REST < cBR : Clock | status : off >}
  => {t' REST < cBR : Clock | clock : 0, status : on >}
  if {t' REST} |= p and {t' REST} |= q =/= true and cond

(if the clock is off, then it is set to 0 and turned on when a state satisfying $p \wedge \neg q$ is reached);

{t REST < cBR : Clock | status : off >}
  => {t' REST < cBR : Clock | >}
  if ({t' REST} |= q or {t' REST} |= p =/= true) and cond

(if the clock is off, then it continues to stay off if a state satisfying $q \vee \neg p$ is reached).

In the above rules REST is a variable of sort Configuration that does not appear in the original rule. REST matches the "other" objects and messages in the state.

Summarizing, the BR-transformation transforms a real-time rewrite theory $\mathcal{R}$, a labeling function $L_\Pi$ of $\mathcal{R}$ with $p, q \in \Pi$, an initial state $t_0$ of $\mathcal{R}$, and a bounded response formula $\Box(p \rightarrow \Diamond_{\le r}\, q)$ into the triple $\widetilde{\mathcal{R}}$, $\widetilde{L}_\Pi$, and $\widetilde{t}_0$ by

• transforming $\mathcal{R}$ into $\widetilde{\mathcal{R}}$ according to the points 1, 3 and 4 above;

• transforming $L_\Pi$ into $\widetilde{L}_\Pi$ by adapting its domain to the transformed state space, but leaving the labeling otherwise unchanged, i.e., $\widetilde{L}_\Pi(\{t\; o\}) = L_\Pi(\{t\})$ for all states $t$ of $\mathcal{R}$ and all Clock instances $o$;

• extending the initial state $t_0$ according to point 2 above, yielding $\widetilde{t}_0$.

The validity of the bounded response property $\Box(p \rightarrow \Diamond_{\le r}\, q)$ is equivalent to $\Box(p \rightarrow \Diamond q)$ and the clock value being less than or equal to $r$ in each reachable state of the transformed module. The latter property can be defined as an atomic proposition

op clock<=_ : Time -> Prop [ctor] .

eq {REST < cBR : Clock | clock : T1 >} |= clock <= T2 = (T1 <= T2) .

and hence bounded response can be analyzed using Real-Time Maude's untimed LTL model checking features. We have implemented the above model transformation in Real-Time Maude. We have also implemented a bounded response model checking command in the tool based on this transformation. However, for pragmatic reasons, we do not model check the property $\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \Box(p \rightarrow \Diamond q) \wedge \Box(\mathit{clock}(c_{BR}) \le r)$. Instead, we have observed the unsurprising fact that, with time sampling strategy executions, all our large Real-Time Maude applications are modeled as time-diverging theories. In these cases, bounded response reduces to checking $\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \Box(\mathit{clock}(c_{BR}) \le r)$, which can be analyzed by the following search command that searches for a state in which the clock value is greater than $r$:

(utsearch [1] {t0 < cBR : Clock | clock : 0, status : x >} =>*
   {C : Configuration < cBR : Clock | clock : T:Time >} such that T:Time > r .)

where x is on if $p \in L(\{t_0\})$ and $q \notin L(\{t_0\})$, and is off otherwise. The practical difference is that, whereas the LTL model checking does not terminate when the state space reachable from $\widetilde{t}_0$ in $\widetilde{\mathcal{R}}$ is infinite, the above search command provides a semi-decision procedure for the invalidity of the bounded response property. For an example of the benefit of this time-divergence-assuming implementation, consider the bounded response analysis of the medical systems example in Section 5. The reachable state space is infinite because of the clock used in the original model; hence any direct LTL model checking would not terminate, but we see that our bounded response command indeed returns a counterexample falsifying the bounded response property.

In our tool, the bounded response model checking command (for the automatic BR-transformation and the execution of the Real-Time Maude search) is written with syntax

(br t |= p => <>le(r) q .)

3.2 Minimum Separation: $\Box(p \rightarrow (p\, W\, \Box_{\le r}\, \neg p))$

Given a real-time rewrite theory $\mathcal{R}$ with a labeling function $L_\Pi$, $p \in \Pi$, all runs of $\mathcal{R}$ are made up of a sequence of blocks for which $p$ and $\neg p$ hold alternatingly (see Figure 1). The minimum separation property requires that each $\neg p$-block occurring after a $p$-block must have a minimum duration $r$. I.e., if the run for which we check the property starts with a $p$-block, then all $\neg p$-blocks of the run must have a duration at least $r$. Otherwise, if the run starts with a $\neg p$-block, then the same holds for all $\neg p$-blocks except the first one at the beginning of the run.

[Figure 1: a run drawn as a sequence of alternating blocks ¬p, p, ¬p, p, ¬p; each ¬p-block that follows a p-block is annotated with a duration of at least r.]

Figure 1: The form of runs satisfying the minimum separation property $\Box(p \rightarrow (p\, W\, \Box_{\le r}\, \neg p))$. The $p$- and $\neg p$-blocks may also be infinite.

We transform the MTL model checking problem for the minimum separation property $\Box(p \rightarrow (p\, W\, \Box_{\le r}\, \neg p))$ into the untimed model checking problem

$\widetilde{\mathcal{R}}, \widetilde{L}_\Pi, \widetilde{t}_0 \models \Box(\mathit{status}(c_{MS}) = \mathit{on} \vee \mathit{clock}(c_{MS}) \ge r)$

where $\mathit{clock}(c_{MS})$ is the value of a "clock" that measures the time elapsed since we last saw a $p$-state. That means, to model check minimum separation properties, we add a "clock" $c_{MS}$ to the system, which is initially turned off and set to $r$: in this way we ensure that a possible initial $\neg p$-block does not cause a violation of the property. We update the clock as follows:

i) If we move from a $p$-state to a $\neg p$-state, then the clock is turned on and reset to 0.

ii) The clock is turned off when a state satisfying $p$ is reached.

iii) A clock that is on is increased according to the elapsed time in the system.

We can automate the transformation to search for counterexamples of a minimum separation property of the above form as follows:

1. Add the same class for the clock as in Section 3.1:

class Clock | clock : Time, status : OnOff .

2. Add a clock object to the initial state {t0}, yielding

{t0 < cMS : Clock | clock : r, status : off >}

where cMS is a constant of sort Oid.

3. We keep Real-Time Maude's object-oriented tick rule and extend the functions delta and mte to clocks exactly as in Section 3.1.

4. Each instantaneous rule t => t' if cond or {t} => {t'} if cond in $\mathcal{R}$ is replaced by the rules:

{t REST < cMS : Clock | status : on >}
  => {t' REST < cMS : Clock | >} if {t' REST} |= p =/= true and cond

(if the clock is on, then it continues to stay on if a state satisfying $\neg p$ is reached);

{t REST < cMS : Clock | status : on >}
  => {t' REST < cMS : Clock | status : off >} if {t' REST} |= p and cond

(if the clock is on, then it is turned off when a state satisfying $p$ is reached);

{t REST < cMS : Clock | status : off >}
  => {t' REST < cMS : Clock | >}
  if ({t REST} |= p =/= true or {t' REST} |= p) and cond

(the clock remains off if either we are in a state satisfying $\neg p$ or we move to a state satisfying $p$; the first condition is needed to avoid switching the clock on in initial $\neg p$-blocks);

{t REST < cMS : Clock | status : off >}
  => {t' REST < cMS : Clock | status : on, clock : 0 >}
  if {t REST} |= p and {t' REST} |= p =/= true and cond

(if the clock is off, and we move from a state satisfying $p$ to a state satisfying $\neg p$, then the clock is turned on and reset to 0).

Again, REST is a variable of sort Configuration that does not appear in the original rule.
The MS-transformation therefore transforms a real-time rewrite theory $\mathcal{R}$, a labeling function $L_\Pi$ with $p \in \Pi$, an initial state $t_0$ of $\mathcal{R}$, a state proposition $p$, and a time value $r$ into the triple $\widetilde{\mathcal{R}}$, $\widetilde{L}_\Pi$, and $\widetilde{t}_0$ by

• transforming $\mathcal{R}$ into $\widetilde{\mathcal{R}}$ according to the points 1, 3 and 4 above;

• transforming $L_\Pi$ into $\widetilde{L}_\Pi$ by adapting its domain to the transformed state space, but leaving the labeling otherwise unchanged, i.e., $\widetilde{L}_\Pi(\{t\; o\}) = L_\Pi(\{t\})$ for all states $t$ of $\mathcal{R}$ and all Clock instances $o$;

• extending the initial state $t_0$ according to point 2 above, yielding $\widetilde{t}_0$.

Checking the minimum separation property $\Box(p \rightarrow (p\ \mathcal{W}\ \Box_{<r} \neg p))$ is equivalent to checking that, in each state of the transformed module, the validity of $p$ implies that the clock value is larger than or equal to $r$. A violation can be found by the following search command, which searches for a state in which the clock is off (which implies that $p$ holds, except in an initial ¬p-block, where the clock still carries its initial value $r$ and hence cannot match) and the clock value is smaller than $r$:

  (utsearch [1] {t0 < c_MS : Clock | clock : r, status : off >} =>*
                {C:Configuration < c_MS : Clock | clock : T:Time, status : off >}
                such that T:Time < r .)

The MS-transformation above has been integrated into Real-Time Maude, and the minimum separation property above can be model checked with the Real-Time Maude command

  (ms t0 |= p separated by >= r .)
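To make the behavior of the clock object c_MS concrete, the following is an added example (Python, not Real-Time Maude code, and not part of the original paper): it simulates the four replacement rules and the clock's delta along a single constructed path and compares the search target (status off and clock < r) with a direct computation of the smallest gap between two p-blocks. The path representation, the choice to initialize the clock with value r and status off (as in the utsearch command above), and the freezing of the clock once it reaches r (as for c_BR in Section 3.1) are assumptions of this example.

```python
from fractions import Fraction as F

# A path is a list of states (each the set of propositions that hold, i.e.
# the labeling L_Pi) plus a list of steps between consecutive states:
# ("tick", duration) for a tick rule or ("inst", 0) for an instantaneous
# rule.  Tick steps never change the labeling (tick-invariance).


def ms_observer(states, steps, p, r):
    """Values (clock, status) of c_MS along the path, one pair per state.

    Assumption: point 2 of the MS-transformation initialises the clock as
    in the utsearch command, i.e. status off and value r, so an initial
    not-p block can never be reported as a violation."""
    assert len(steps) == len(states) - 1
    clock, status = F(r), "off"
    trace = [(clock, status)]
    for s, s2, (kind, d) in zip(states, states[1:], steps):
        if kind == "tick":
            assert s == s2, "tick-invariance violated"
            # delta as for c_BR: advance while on and below r, then freeze;
            # freezing keeps the set of reachable clock values finite
            if status == "on" and clock < r:
                clock += F(d)
        elif status == "on":
            # rules 1 and 2: stay on in a not-p state, switch off on p
            status = "off" if p in s2 else "on"
        elif p in s and p not in s2:
            # rule 4: leaving a p-block starts measuring the separation
            clock, status = F(0), "on"
        # else rule 3: off stays off (initial not-p block or inside a p-block)
        trace.append((clock, status))
    return trace


def ms_violation_index(states, steps, p, r):
    """Index of the first state matching the search target (status off and
    clock < r), or None if the path satisfies the minimum separation."""
    for i, (clock, status) in enumerate(ms_observer(states, steps, p, r)):
        if status == "off" and clock < r:
            return i
    return None


def min_separation_direct(states, steps, p):
    """Reference check computed from the durations alone: the smallest time
    gap between the end of one maximal p-block and the start of the next
    (None if the path contains fewer than two p-blocks)."""
    now, last_end, best = F(0), None, None
    for s, s2, (kind, d) in zip(states, states[1:], steps):
        if kind == "inst":
            if p in s and p not in s2:
                last_end = now
            elif p not in s and p in s2 and last_end is not None:
                gap = now - last_end
                best = gap if best is None else min(best, gap)
        now += F(d)
    return best


# Constructed paths in the spirit of the ventilator case study: isPausing
# holds in two blocks separated by 400000 resp. 700000 time units, against
# a required separation of r = 600000.
P = "isPausing"
PAUSING, BREATHING = {P}, set()
TOO_CLOSE = (
    [BREATHING, PAUSING, PAUSING, BREATHING, BREATHING, PAUSING, PAUSING],
    [("inst", 0), ("tick", 2000), ("inst", 0), ("tick", 400000), ("inst", 0), ("tick", 1000)],
)
FAR_ENOUGH = (
    [BREATHING, PAUSING, PAUSING, BREATHING, BREATHING, PAUSING, PAUSING],
    [("inst", 0), ("tick", 2000), ("inst", 0), ("tick", 700000), ("inst", 0), ("tick", 1000)],
)

if __name__ == "__main__":
    for name, (st, sp) in (("too close", TOO_CLOSE), ("far enough", FAR_ENOUGH)):
        print(name, ms_violation_index(st, sp, P, 600000), min_separation_direct(st, sp, P))
```

On the first path the observer reports state 5, the state reached by the instantaneous step back into pausing, where the clock is off with value 400000 < 600000; the direct computation gives the same gap. On the second path no state matches and the gap is 700000.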
4 Correctness of Bounded Response Model Checking

In this section we give the correctness proof for our bounded response model checking. The correctness proof for minimum separation, which we omit due to lack of space, is quite similar and can be found in an extended version of this paper [12].

To increase readability, in the following we write $\pi \models \phi$ instead of $\mathcal{R}, L_\Pi, \pi \models \phi$ if $\mathcal{R}$ and $L_\Pi$ are clear from the context.

The following lemma states that the BR-transformation only adds some observers to the original system, without modifying its behavior.

Lemma 4.1. Let $\mathcal{R}$ be a real-time rewrite theory, $L_\Pi$ with $p, q \in \Pi$ a labeling function for $\mathcal{R}$, and let $\{t_0\}$ be an initial state for $\mathcal{R}$. Let $\overline{\mathcal{R}}$, $\overline{L}_\Pi$, and $\{\overline{t}_0\}$ be the result of the BR-transformation applied to $\mathcal{R}$, $L_\Pi$, and $t_0$.

Then for each path $\{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ in $\mathcal{R}$ there is a path $\{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ in $\overline{\mathcal{R}}$ such that, for all $i$, there exists $t'_i$ with $\overline{t}_i = t_i\ t'_i$; and vice versa, for all paths $\{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ in $\overline{\mathcal{R}}$ there is a path $\{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ in $\mathcal{R}$ such that, for all $i$, $\overline{t}_i = t_i\ t'_i$ for some $t'_i$.

Proof. Adding the clock class and a clock object to the initial state does not affect the original part of the state, and defining mte of the additional clock to be the infinity value INF ensures that the new clock does not modify the timed behavior of the (original) system. Furthermore, the transformation replaces each original rule by a number of new rules such that (1) each new rule acts on the original part of the state exactly as the original rule, and (2) for each original rule and each extended state to which the original rule is applicable there is exactly one new rule that is applicable. (1) ensures that the new rewrites yield the same result for the original part of the state, and (2) ensures that no original path is blocked by the new rules. Thus the transformation does not modify the original behavior. In detail:

Let $\{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ be a path of $\mathcal{R}$. We define

  $\overline{t}_i = t_i$ < c_BR : Clock | clock : $x_i$, status : $y_i$ >

for all $i$, with $x_i \in T_{\Sigma,\mathrm{Time}}$ and $y_i \in T_{\Sigma,\mathrm{OnOff}}$ given inductively as follows:

• $x_0 = 0$, and $y_0 = $ on if $p \in L_\Pi(\{t_0\}) \wedge q \notin L_\Pi(\{t_0\})$, and $y_0 = $ off otherwise.

• For all $i$, if there is a tick rule yielding the rewrite $\{t_i\} \xrightarrow{r_i} \{t_{i+1}\}$, then we distinguish the following cases:

  - If $y_i = $ on and $x_i < r$, then we define $y_{i+1} = $ on and $x_{i+1} = x_i + r_i$. Note that with the definition of the delta equation we have $\{\overline{t}_i\} \xrightarrow{r_i} \{\overline{t}_{i+1}\}$.

  - If $y_i = $ on and $x_i \ge r$, then we define $y_{i+1} = $ on and $x_{i+1} = x_i$. Note that with the definition of delta we have $\{\overline{t}_i\} \xrightarrow{r_i} \{\overline{t}_{i+1}\}$.

  - Else, if $y_i = $ off, we define $y_{i+1} = $ off and $x_{i+1} = x_i$. With the definition of the delta equation we have $\{\overline{t}_i\} \xrightarrow{r_i} \{\overline{t}_{i+1}\}$.

• For all $i$, otherwise there is an instantaneous rule t => t' if cond or {t} => {t'} if cond yielding the rewrite $\{t_i\} \xrightarrow{r_i} \{t_{i+1}\}$ with $r_i = 0$.

  - If $y_i = $ on and $\{t_{i+1}\} \models q$ =/= true, then we set $y_{i+1} = $ on and $x_{i+1} = x_i$. Note that the first replacement of the original rule yields $\{\overline{t}_i\} \xrightarrow{0} \{\overline{t}_{i+1}\}$.

  - If $y_i = $ on and $\{t_{i+1}\} \models q$, then we set $y_{i+1} = $ off and $x_{i+1} = x_i$. Note that the second replacement of the original rule yields $\{\overline{t}_i\} \xrightarrow{0} \{\overline{t}_{i+1}\}$.

  - If $y_i = $ off, $\{t_{i+1}\} \models p$, and $\{t_{i+1}\} \models q$ =/= true, then we set $y_{i+1} = $ on and $x_{i+1} = 0$. Note that the third replacement of the original rule yields $\{\overline{t}_i\} \xrightarrow{0} \{\overline{t}_{i+1}\}$.

  - Else, if $y_i = $ off and either $\{t_{i+1}\} \models q$ or $\{t_{i+1}\} \models p$ =/= true, then we set $y_{i+1} = $ off and $x_{i+1} = x_i$. Note that the fourth replacement of the original rule yields $\{\overline{t}_i\} \xrightarrow{0} \{\overline{t}_{i+1}\}$.

Above we made use of the fact that, by definition, for each $i$ the corresponding labeling $\overline{L}_\Pi(\{\overline{t}_i\})$ in $\overline{\mathcal{R}}$ is equal to $L_\Pi(\{t_i\})$. Clearly, all $\{\overline{t}_i\}$ are states of $\overline{\mathcal{R}}$; in particular, $\{\overline{t}_0\}$ results from $\{t_0\}$ by the BR-transformation. Thus $\{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ is a path of $\overline{\mathcal{R}}$.

Vice versa: given a path $\{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ of $\overline{\mathcal{R}}$ such that

  $\overline{t}_i = t_i$ < c_BR : Clock | clock : $x_i$, status : $y_i$ >

for each $i$, we show that $\{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ is a path of $\mathcal{R}$.

• For all $i$, if $\{\overline{t}_i\} \xrightarrow{r_i} \{\overline{t}_{i+1}\}$ is obtained by a tick rule in $\overline{\mathcal{R}}$, then clearly $\{t_i\} \xrightarrow{r_i} \{t_{i+1}\}$ is obtained by a tick rule in $\mathcal{R}$.

• Otherwise, if $\{\overline{t}_i\} \xrightarrow{r_i} \{\overline{t}_{i+1}\}$ is obtained by an instantaneous rule in $\overline{\mathcal{R}}$, then the original rule that this rule replaces yields $\{t_i\} \xrightarrow{r_i} \{t_{i+1}\}$ in $\mathcal{R}$. ∎



The following lemma clarifies the semantics of the bounded response property. On the one hand, if along a path no $q$ event occurs for $r$ time units after a $p$ event, then the path is a counterexample to the property. On the other hand, if a path violates the bounded response property, then either no $q$ event occurs for $r$ time units after some $p$ event, or the path is time-convergent and violates the unbounded property $\Box(p \rightarrow (\Diamond q))$.

Lemma 4.2. Let $\mathcal{R}$ be a real-time rewrite theory, $L_\Pi$ with $p, q \in \Pi$ a labeling function for $\mathcal{R}$, and $\pi = \{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ a path of $\mathcal{R}$. Then

$$\Big[\exists i, j.\ 0 \le i \le j \wedge (\pi^i \models p) \wedge (\forall i \le k \le j.\ \pi^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r\Big] \rightarrow \Big[\pi \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))\Big]$$

and

$$\Big[\pi \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))\Big] \rightarrow \Big[\exists i, j.\ 0 \le i \le j \wedge (\pi^i \models p) \wedge (\forall i \le k \le j.\ \pi^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r\Big] \vee \Big[\pi \not\models \Box(p \rightarrow (\Diamond q))\Big].$$



Proof. For the first implication, due to the semantics of MTL the following holds:

$$\begin{aligned}
&\exists i, j.\ 0 \le i \le j \wedge (\pi^i \models p) \wedge (\forall i \le k \le j.\ \pi^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r \\
\rightarrow\ &\exists i.\ (\pi^i \models p) \wedge \forall j \ge i.\ \Big(\sum_{k=i}^{j-1} r_k \le r \rightarrow \pi^j \not\models q\Big) \\
\rightarrow\ &\exists i.\ (\pi^i \models p) \wedge (\pi^i \not\models \Diamond_{\le r}\, q) \\
\rightarrow\ &\exists i.\ \pi^i \models \neg(p \rightarrow (\Diamond_{\le r}\, q)) \\
\rightarrow\ &\pi \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q)).
\end{aligned}$$
For the other direction,

$$\begin{aligned}
\pi \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))\ \rightarrow\ &\exists i.\ \pi^i \models \neg(p \rightarrow (\Diamond_{\le r}\, q)) \\
\rightarrow\ &\exists i.\ (\pi^i \models p) \wedge (\pi^i \not\models \Diamond_{\le r}\, q) \\
\rightarrow\ &\exists i.\ (\pi^i \models p) \wedge \forall j \ge i.\ \Big(\sum_{k=i}^{j-1} r_k \le r \rightarrow \pi^j \not\models q\Big).
\end{aligned}$$

Let $i$ be such an index, with $\pi^i \models p$ and $\forall j \ge i.\ (\sum_{k=i}^{j-1} r_k \le r \rightarrow \pi^j \not\models q)$. If $\pi \not\models \Box(p \rightarrow (\Diamond q))$ then we are ready. So assume $\pi \models \Box(p \rightarrow (\Diamond q))$, implying that there is a smallest index $l \ge i$ with $\pi^l \models q$. Note that by definition $r \ge 0$, so the empty sum $\sum_{k=i}^{i-1} r_k = 0 \le r$ gives $\pi^i \not\models q$, and thus $l > i$. From the above it follows that $\sum_{k=i}^{l-1} r_k > r$.

Let $j = l - 1$. From the minimality of $l$ we first conclude that $\forall i \le k \le j.\ \pi^k \not\models q$. From the minimality of $l$ and tick-invariance we furthermore conclude that the rewrite $\{t_j\} \xrightarrow{r_j} \{t_l\}$ is an instantaneous step (a tick step cannot change the validity of $q$), so $r_j = 0$ and thus $\sum_{k=i}^{j-1} r_k = \sum_{k=i}^{j} r_k = \sum_{k=i}^{l-1} r_k > r$. That means

$$\exists i, j.\ 0 \le i \le j \wedge (\pi^i \models p) \wedge (\forall i \le k \le j.\ \pi^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r. \qquad \blacksquare$$



The following main theorem formalizes the correctness of our transformation: firstly, if the bounded response property holds, then the model checking algorithm will not report any counterexample; secondly, if the bounded response model checking algorithm does not find any counterexample, and if there are no time-convergent counterexamples, then the property holds.

Theorem 4.3. Let $\mathcal{R}$ be a real-time rewrite theory, $L_\Pi$ a labeling function for $\mathcal{R}$ with $p, q \in \Pi$, and $\{t_0\}$ an initial state of $\mathcal{R}$. Let $\overline{\mathcal{R}}$, $\overline{L}_\Pi$, and $\{\overline{t}_0\}$ be the result of the BR-transformation applied to $\mathcal{R}$, $L_\Pi$, and $\{t_0\}$. Then

$$\mathcal{R}, L_\Pi, \{t_0\} \models \Box(p \rightarrow (\Diamond_{\le r}\, q))\ \rightarrow\ \overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \models \Box(\mathrm{clock}(c_{BR}) \le r),$$

and

$$\overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \models (\Box(p \rightarrow (\Diamond q))) \wedge (\Box(\mathrm{clock}(c_{BR}) \le r))\ \rightarrow\ \mathcal{R}, L_\Pi, \{t_0\} \models \Box(p \rightarrow (\Diamond_{\le r}\, q)),$$

where $\mathrm{clock}(c_{BR})$ denotes the value of the clock attribute of the clock object $c_{BR}$.
Proof. For the first statement we show that

$$\overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \not\models \Box(\mathrm{clock}(c_{BR}) \le r)$$

implies

$$\mathcal{R}, L_\Pi, \{t_0\} \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q)).$$

Thus assume $\overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \not\models \Box(\mathrm{clock}(c_{BR}) \le r)$. That means there exists a path $\overline{\pi} = \{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ of $\overline{\mathcal{R}}$ with $\overline{t}_i = t_i$ < c_BR : Clock | clock : $x_i$, status : $y_i$ > and a smallest index $j$ such that $x_j > r$. Since the clock value is initially 0 and increases only due to tick rules while the clock is on, the clock must have been switched on at some point before $j$. Furthermore, since $j$ is minimal, the clock is continuously on from the last point where it was switched on until $\overline{t}_j$.

Let $i \le j$ be the smallest index such that the clock is continuously on from $\overline{t}_i$ until $\overline{t}_j$. Either $i = 0$ and the initial state satisfies $p \wedge \neg q$ and $x_i = 0$, or $i > 0$ and the rewrite from the $(i-1)$th state to the $i$th state switched the clock from off to on and reset it to 0. In the latter case the corresponding rewrite has the condition that $p \wedge \neg q$ holds in the $i$th state. Thus $p \wedge \neg q \wedge x_i = 0$ holds in state $\overline{t}_i$. The clock was kept on from state $\overline{t}_i$ until state $\overline{t}_j$. The only rules yielding this behavior are the tick rules, which increase the clock value by the duration of the rewrite, and instantaneous rules, which require the invariance of $\neg q$ and leave the clock value untouched. Due to tick-invariance, tick rules cannot cause any change in the validity of the propositions, so $\neg q$ holds all the way from the $i$th to the $j$th state. Furthermore, the clock value at state $j$ is the sum of the durations of the rewrites from the $i$th to the $j$th state. Thus

$$\exists i, j.\ 0 \le i \le j \wedge (\overline{\pi}^i \models p) \wedge (\forall i \le k \le j.\ \overline{\pi}^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r$$

holds, and with Lemma 4.2 we get $\overline{\pi} \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))$. Using Lemma 4.1 we conclude that there is also a path $\pi$ of $\mathcal{R}$ such that $\pi \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))$, and thus $\mathcal{R}, L_\Pi, \{t_0\} \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))$.

For the second statement assume that

$$\mathcal{R}, L_\Pi, \{t_0\} \not\models \Box(p \rightarrow (\Diamond_{\le r}\, q))$$

holds. We show that it implies

$$\overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \not\models (\Box(p \rightarrow (\Diamond q))) \wedge (\Box(\mathrm{clock}(c_{BR}) \le r)).$$

Due to the assumption there exists a path $\pi = \{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots$ of $\mathcal{R}$ violating $\Box(p \rightarrow (\Diamond_{\le r}\, q))$. Now, either $\overline{\mathcal{R}}, \overline{L}_\Pi, \{\overline{t}_0\} \not\models \Box(p \rightarrow (\Diamond q))$ and we are ready, or due to Lemma 4.1 there exists a path $\overline{\pi} = \{\overline{t}_0\} \xrightarrow{r_0} \{\overline{t}_1\} \xrightarrow{r_1} \cdots$ of $\overline{\mathcal{R}}$ also violating $\Box(p \rightarrow (\Diamond_{\le r}\, q))$. With Lemma 4.2 we get

$$\exists i, j.\ 0 \le i \le j \wedge (\overline{\pi}^i \models p) \wedge (\forall i \le k \le j.\ \overline{\pi}^k \not\models q) \wedge \sum_{k=i}^{j-1} r_k > r.$$

Let $i$ and $j$ be the smallest indices satisfying the above condition.

• If $i = 0$, then by the fact that $\overline{\pi}^i \models p \wedge \neg q$ we have by definition that the clock in $\overline{t}_0$ is on and has the value 0.

• If $i > 0$ and for all $n < i$, $\overline{t}_n$ does not satisfy $p \wedge \neg q$, then by definition of the initial state the clock is initially off, and it does not get switched on until the $(i-1)$th state; thus the clock is off in the $(i-1)$th state.

• If $i > 0$ and there is an $n < i$ with $\overline{t}_n$ satisfying $p \wedge \neg q$, then from the minimality of $i$ we conclude that there is a minimal $m$ with $n < m < i$ such that $\overline{t}_m$ satisfies $q$. From the minimality of $m$ we conclude that $\{\overline{t}_{m-1}\} \xrightarrow{r_{m-1}} \{\overline{t}_m\}$ is due to an instantaneous rule, which, by definition, switches the clock off.

Thus either $i = 0$ and the clock is on in $\overline{t}_i$ with value 0, or $i > 0$ and the clock is off in state $\overline{t}_{i-1}$. Furthermore, in the latter case the $(i-1)$th state satisfies $\neg p \vee q$ (otherwise $i$ would not be minimal), and the rewrite $\{\overline{t}_{i-1}\} \xrightarrow{r_{i-1}} \{\overline{t}_i\}$ is due to an instantaneous rule, which, again by definition, switches the clock on and resets its value to 0.

We get that the clock is on with value 0 in $\overline{t}_i$. As $\neg q$ holds all the way from the $i$th to the $j$th state, the clock remains on from the $i$th to the $j$th state. The rewrites of $\overline{\mathcal{R}}$ ensure that the clock value in state $\overline{t}_j$ is the duration $\sum_{k=i}^{j-1} r_k$ (or, if delta has already frozen the clock, a value that exceeded $r$ even earlier), which is by assumption larger than $r$, which was to be shown. ∎
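The following is an added example (Python, not Real-Time Maude code, and not part of the original paper) that mirrors Lemma 4.1, Lemma 4.2 and Theorem 4.3 on concrete paths: it runs the clock observer c_BR exactly as the inductive definition of $(x_i, y_i)$ in the proof of Lemma 4.1 prescribes, evaluates the first characterisation of Lemma 4.2 directly from the durations, and derives the verdict the theorem allows. The path representation (states as sets of propositions, steps as ("tick", duration) or ("inst", 0)), the proposition names and the bound r = 2000 are assumptions of this example.

```python
from fractions import Fraction as F


def br_observer(states, steps, p, q, r):
    """Values (clock, status) of c_BR along a path, following the inductive
    definition of (x_i, y_i) in the proof of Lemma 4.1."""
    assert len(steps) == len(states) - 1
    s0 = states[0]
    clock = F(0)                                              # x_0
    status = "on" if (p in s0 and q not in s0) else "off"     # y_0
    trace = [(clock, status)]
    for s, s2, (kind, d) in zip(states, states[1:], steps):
        if kind == "tick":
            assert s == s2, "tick-invariance violated"
            if status == "on" and clock < r:    # delta: count while on and below r,
                clock += F(d)                   # then freeze (finitely many clock values)
        elif status == "on":
            status = "off" if q in s2 else "on"   # q reached: stop measuring
        elif p in s2 and q not in s2:
            clock, status = F(0), "on"            # p without q: start measuring at 0
        # otherwise the clock stays off
        trace.append((clock, status))
    return trace


def br_search_target(states, steps, p, q, r):
    """Index of the first state with clock(c_BR) > r, i.e. the violation of
    the invariant Box(clock(c_BR) <= r) that the search looks for; or None."""
    for i, (clock, _) in enumerate(br_observer(states, steps, p, q, r)):
        if clock > r:
            return i
    return None


def bounded_response_witness(states, steps, p, q, r):
    """Lemma 4.2, first characterisation: the least (i, j) with pi^i |= p,
    no q in states i..j and sum_{k=i}^{j-1} r_k > r, or None."""
    n = len(states)
    for i in range(n):
        if p not in states[i]:
            continue
        total = F(0)                     # sum_{k=i}^{j-1} r_k, grows with j
        for j in range(i, n):
            if q in states[j]:
                break
            if total > r:
                return (i, j)
            if j < n - 1:
                total += F(steps[j][1])
    return None


def unbounded_response_holds(states, p, q):
    """Box(p -> Diamond q) on the finite prefix: every p-state is followed
    (at or after it) by a q-state."""
    return all(any(q in t for t in states[i:])
               for i in range(len(states)) if p in states[i])


# Constructed paths for p = isPausing, q = isBreathing and bound r = 2000.
P, Q = "isPausing", "isBreathing"
LATE = ([{Q}, {P}, {P}, {P}, {Q}],
        [("inst", 0), ("tick", 1000), ("tick", 1500), ("inst", 0)])     # q after 2500
IN_TIME = ([{Q}, {P}, {P}, {Q}, {Q}],
           [("inst", 0), ("tick", 1500), ("inst", 0), ("tick", 5000)])  # q after 1500
ZENO = ([{P}, {P}, {P}],
        [("inst", 0), ("inst", 0)])                 # no time passes and q never arrives


def verdict(states, steps, r=2000):
    """Theorem 4.3 applied to one path: 'violated' if the clock exceeds r,
    'satisfied' if it never does and Box(p -> Diamond q) holds, otherwise
    'inconclusive' (a time-convergent prefix, the case the theorem excludes)."""
    if br_search_target(states, steps, P, Q, r) is not None:
        return "violated"
    if unbounded_response_holds(states, P, Q):
        return "satisfied"
    return "inconclusive"


if __name__ == "__main__":
    for name, (st, sp) in (("late", LATE), ("in time", IN_TIME), ("zeno", ZENO)):
        print(name, br_search_target(st, sp, P, Q, 2000),
              bounded_response_witness(st, sp, P, Q, 2000), verdict(st, sp))
```

On the late path the observer's clock first exceeds 2000 in state 3, and the direct characterisation returns the witness (1, 3): the clock was started at state 1 and the two ticks sum to 2500. On the in-time path neither reports anything and the unbounded property holds on the prefix. On the Zeno prefix the clock never moves, so the search finds nothing, but $\Box(p \rightarrow (\Diamond q))$ fails, which is exactly the time-convergent case Theorem 4.3 leaves open.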
The following lemma states that finiteness of the state space is preserved under the BR-transformation, implying that our bounded response model checking algorithm terminates for finite-state systems.

Lemma 4.4. Given a real-time rewrite theory $\mathcal{R}$, a labeling function $L_\Pi$ of $\mathcal{R}$ with $p, q \in \Pi$, an initial state $\{t_0\}$ of $\mathcal{R}$, and a fixed time sampling strategy, and furthermore assuming that

• there are only finitely many states reachable in $\mathcal{R}$ from the initial state $\{t_0\}$ with the given time sampling, i.e., the set

  $\{\{t_i\} \mid \pi = \{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots \in \mathit{Paths}(\mathcal{R})_{t_0},\ i \in \mathbb{N}\}$

  is finite, and

• the number of different rewrite durations in all possible paths in $\mathcal{R}$ from $\{t_0\}$ under the given time sampling is finite, i.e., the set

  $\{r_i \mid \pi = \{t_0\} \xrightarrow{r_0} \{t_1\} \xrightarrow{r_1} \cdots \in \mathit{Paths}(\mathcal{R})_{t_0},\ i \in \mathbb{N}\}$

  is finite,

then the bounded response model checking algorithm for $\mathcal{R}$ using the same sampling strategy terminates.

Proof. Assume that the above conditions hold. Notice that the bounded response model checking algorithm always terminates if the set of reachable states of the BR-transformation $\overline{\mathcal{R}}$ (from its initial state and under the given time sampling) is finite.

Since all instantaneous rules in the BR-transformation $\overline{\mathcal{R}}$ either leave the clock value untouched or reset it to 0, the finiteness of the state space is preserved under the instantaneous rules of $\overline{\mathcal{R}}$. For the tick rules, on the one hand, if the clock value gets larger than the bound $r$ in the bounded response formula, then the model checking algorithm finds a counterexample and thus terminates. On the other hand, since there are only finitely many possible rewrite durations, there are only finitely many possible clock values less than or equal to $r$. So if the clock value never exceeds $r$, then the reachable state space of the BR-transformation remains finite and the algorithm terminates in this case, too. ∎

5 Case Studies 

This section briefly presents two case studies where we use the new model checking commands. The 
analysis has been performed on a 2.4GHz Intel® Core 2 Duo processor with 2 GB of RAM. 

5.1 A Network of Medical Devices 

We apply the new Real-Time Maude commands to a Real-Time Maude model of an interlock protocol for a small network of medical devices, integrating an X-ray machine, a ventilator machine, and a controller. The example was proposed by Lui Sha, and the Real-Time Maude model is explained in [14].

The ventilator machine helps a sedated patient to breathe during a surgery. An X-ray can be taken 
during the surgery by pushing a button. To allow an X-ray to be taken without blurring the picture, the 
ventilator must be briefly turned off. Within a certain time bound, the X-ray must be taken and then the 
ventilation machine must be restarted. Furthermore, the ventilation machine should not be stopped too 
often. The model also addresses nondeterministic message delays and clock drifts. 

In this model, all events take place when some "timer" expires or when a message arrives. Therefore, as proved in [19], the system can be analyzed using the maximal time sampling strategy, which advances time until the next timer expires, so that the analyses remain sound and complete. One time unit in the specification corresponds to one millisecond in the case study.
Bounded Response Analysis. One requirement in this model is that "the ventilation machine should not pause for more than two seconds at a time." This can be expressed by the bounded response formula

  $\Box(\mathit{isPausing} \rightarrow \Diamond_{\le 2000}\ \mathit{isBreathing})$,

where 2000 time units correspond to two seconds. In order to analyze this property, we first define two state propositions, isPausing and isBreathing, in the expected way: isPausing holds for states in which the ventilation machine is not breathing, while isBreathing holds when the ventilation machine is breathing. The bounded response property is model checked using the following Real-Time Maude command:

  Maude> (br initState |= isPausing => <>le(2000) isBreathing .)

The result of this command is a path representing a counterexample to the validity of the property:

  Property not satisfied
  Counterexample path:

  {< ct : Controller | clock : 0, lastPauseTime : 0 >
   < u : User | pushButtonTimer : 0, pushInterval : 60000 >
   < vm : VentMachine | state : breathing >
   < xr : X-ray | state : idle >}

  => [pushButton]

  {< ct : Controller | clock : 0, lastPauseTime : 0 >
   < u : User | pushButtonTimer : 60000, pushInterval : 60000 >
   < vm : VentMachine | state : breathing >
   < xr : X-ray | state : idle >
   dly(pushButton, 0, 50, 10)}

  => [dlyMsgArrives]

  ...

  => [idle]

  {< ct : Controller | clock : 44000/21, lastPauseTime : 3000 >
   < u : User | pushButtonTimer : 1220000/21, pushInterval : 60000 >
   < vm : VentMachine | state : stopBreathing(9000/7) >
   < xr : X-ray | state : idle >}

  => [tick]

  {< ct : Controller | clock : 11000/3, lastPauseTime : 3000 >
   < u : User | pushButtonTimer : 170000/3, pushInterval : 60000 >
   < vm : VentMachine | state : stopBreathing(0) >
   < xr : X-ray | state : idle >}

The result shows that the bounded response requirement does not hold. This is due to the fact that the ventilation machine may pause for 2.22 seconds, since its internal clock is a little slow (see [14]). A counterexample path is therefore produced, of which we display here only a part, showing the sequence of rules that have been applied to reach a state where the clock added internally to the system reaches a value greater than 2000. The analysis took less than a second to perform.

A similar analysis can be done to check that the ventilation machine never pauses for more than 2.5 seconds. Since this property holds, the execution of the bounded response command will simply not stop, because the state space reachable from the initial state is not finite (the clock attribute of the controller just keeps increasing as time advances).

Minimum Separation Analysis. Another requirement says that the ventilator cannot pause more than once in ten minutes. That is, the minimum separation between two pauses is ten minutes. This property can be model checked in Real-Time Maude as follows:

  Maude> (ms initState |= isPausing separated by >= 600000 .)
  Property not satisfied
  Counterexample path:

  {< ct : Controller | clock : 0, lastPauseTime : 0 >
   < u : User | pushButtonTimer : 0, pushInterval : 60000 >
   < vm : VentMachine | state : breathing >
   < xr : X-ray | state : idle >}

  => [pushButton]

  ...

  => [stopBreathing]

  {< ct : Controller | clock : 5951000/9, lastPauseTime : 663000 >
   < u : User | pushButtonTimer : 530000/9, pushInterval : 60000 >
   < vm : VentMachine | state : stopBreathing(2000) >
   < xr : X-ray | state : wait(2500/3) >}

The requirement does not hold, and a counterexample path is produced in less than 10 seconds, leading to a state in which the internal Clock object has a clock value smaller than 600000 while its status is off.

5.2 A Four- Way Traffic Intersection System 

In this section we analyze a bounded response property of an object-oriented Real-Time Maude model of a distributed fault-tolerant four-way traffic light controller for cars and pedestrians described in [11]. The traffic light system for the 4-way intersection is designed as a collection of autonomous concurrent objects that interact with each other by asynchronous message passing. The system is highly parametric: ten different parameters can be specified for an initial state, such as the presence of failures or emergency vehicles in the environment. Each 4-way intersection has two roads crossing in two directions: east-west (EW in the specification) and north-south (NS in the specification). Each road has its own traffic lights. Each pedestrian light has a button that can be pushed by a pedestrian in order to get the green light and cross the street. The behavior of the four-way intersection is as expected.

We focus on the requirement that "no pedestrian should wait for more than five minutes" to cross a road. This corresponds to the bounded response formula

  $\Box(\text{"pedestrian pushes the button"} \rightarrow \Diamond_{\le 5\,\mathrm{min}}\ \text{"pedestrian light is green"})$.

In order to analyze this property, we use the state propositions buttonPushed and pedLightGreen, which take as parameter the direction of the crosswalk. In less than 3 minutes, we successfully verified that the pedestrian does not have to wait for more than 15 time units by executing the following Real-Time Maude command (a time unit corresponds to 15 seconds):

  Maude> (br init("Imoan", minGreenTime + 2, minRedTime, 0, 0, 0, 1, 1, false, 0)
            |= buttonPushed(NS) => <>le(15) pedLightGreen(NS) .)

  Property satisfied

Furthermore, executing the same command, but with a bound of 14 time units, returned a counterexample.

6 Related Work 

There are several works determining decidable fragments of timed temporal logics (e.g., [3, 23]) in order to support model checking algorithms for real-time systems. The tools KRONOS [27] and REDLIB [26] are two TCTL (timed CTL) model checkers for timed automata. The popular timed-automaton-based tool Uppaal [1] provides model checking only for a "reachability subset" of TCTL that does not include bounded response or minimum separation.

The contrast to our work is already explained in the introduction. Whereas the timed automaton formalism is quite restrictive for the exact purpose of achieving decidability of analyses, Real-Time Maude, and even its flat object-oriented subset considered in this paper, is a much more expressive model. The cost of this expressiveness is of course that most properties are in general undecidable for Real-Time Maude. This also holds for the model checking commands in this paper, which are not guaranteed to terminate for many Real-Time Maude models. Furthermore, since for dense time Real-Time Maude executes the tick rules according to a time sampling strategy, we must also prove that, even when terminating, our model checking analyses are both sound and complete, using, e.g., the techniques in [19]. Another obvious difference is that we cover only a fairly small, but important, subset of MTL.

7 Concluding Remarks 

This paper has explained how we have enriched the important class of flat object-oriented Real-Time 
Maude models with model checking features for bounded response and minimum separation properties. 

Object-oriented Real-Time Maude specifications capture many systems that cannot be specified as timed automata; indeed, all advanced Real-Time Maude applications have been so specified. It is therefore not surprising that the model checking problems we address are undecidable in general. Therefore, our model checking analyses may fail to terminate, although they will terminate if the properties do not hold. Furthermore, our model checking commands are executed with a selected time sampling strategy, so that only a subset of all possible behaviors is analyzed. Hence, our analyses may be incomplete or unsound. Nevertheless, for object-oriented specifications we have identified easily checkable conditions that ensure soundness and completeness of (untimed) model checking. Further on the positive side, we have shown that (with reasonable assumptions on the treatment of dense time) our model checking analyses terminate when the reachable state space is finite.

The implementation of our model checking procedures follows a transformational approach that takes advantage of Maude's high-performance search command by transforming an MTL model checking problem into checking the validity of an invariant property. We proved the correctness of these transformations under mild conditions, such as tick-invariance and time divergence.
The model checking commands have been integrated into Real-Time Maude and have been successfully used to model check a small network of medical devices [14], as well as a larger model of a traffic intersection system [11].

The present work is just our first foray into model checking metric temporal logic properties for 
Real-Time Maude specifications. Much work remains ahead. First of all, we should extend the class of 
MTL formulas we can model check, and extend the classes of Real-Time Maude models for which such 
model checking can be performed. For example, if the present techniques could be extended to non-flat 
(or hierarchical "Russian dolls") object-oriented Real-Time Maude specifications, then we would get for 
free model checkers for these properties for both behavioral AADL models and hierarchical Ptolemy II 
DE models. We should also extend the commands to analyze only paths up to a certain duration, so that 
the reachable state space becomes finite. The correctness proofs in this paper all deal with correctness 
w.r.t. the executed paths. We must of course further investigate the soundness and completeness of such 
analyses w.r.t. all possible behaviors of a system. 